ESET discovers a campaign stealing bitcoins from darknet users


ESET researchers discover a trojanized Tor Browser that cybercriminals use to steal bitcoins from darknet market buyers

BRATISLAVA – ESET researchers have discovered a campaign, running unnoticed for many years, that distributed a trojanized version of the official Tor Browser package, using it to spy on its users and steal bitcoins from them.

“This malware lets the criminals behind this campaign see what website the victim is currently visiting. In theory, they can change the content of the visited page, grab the data the victim fills in to forms and display fake messages, among other activities. However, we have seen only one particular functionality – changing the cryptocurrency wallets,” explains Anton Cherepanov, ESET Senior Malware Researcher, who conducted the research.

The campaign has been targeted at Russian-speaking users of the anonymous Tor network. To distribute the malware-laden browser, the criminals promoted it – on various forums, and on – as the official Russian language version of the Tor Browser. Their goal was to lure language-specific targets to a pair of malicious – yet legitimate-looking – websites.

“At the first website, the user received a warning that their Tor Browser was outdated – regardless of the reality. Those who took this bait were redirected to a second website with an installer,” continues Cherepanov.

Following installation, the trojanized Tor Browser is a fully functional application. “The criminals didn’t modify binary components of the Tor Browser; instead, they introduced changes to settings and extensions. As a result, non-technically savvy people probably won’t notice any difference between the original version and the trojanized one,” comments Cherepanov.

Among these changes, every update mechanism is switched off in the settings, and the updater tool is renamed so the user cannot update at all; an update would replace the modified files and strip out the capabilities the criminals rely on.

Digital signature checks for add-ons are also disabled, allowing the attackers to modify any add-on and have it seamlessly loaded by the browser.
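The two settings changes described above, disabled updates and disabled add-on signature checks, are ordinary Firefox preferences, so a tampered profile can be spotted by reading its prefs file. The following audit script is an added example, not code from ESET or from the campaign: the pref names are real Firefox preferences (app.update.enabled, app.update.auto, extensions.update.enabled, extensions.update.autoUpdateDefault, xpinstall.signatures.required), while the sample prefs file and the "expected" values are constructed for this example and assume a stock Tor Browser that keeps the Firefox defaults.

```javascript
// Added example (not ESET's code): audit a Firefox/Tor Browser prefs file for the
// kind of settings changes the press release describes - update mechanisms switched
// off and add-on signature enforcement disabled. The pref names are real Firefox
// prefs; the sample file at the bottom is constructed for this example.

// Values a stock Tor Browser is assumed to keep. A pref that is absent from the file
// simply takes the default, so only present-and-wrong values are reported.
const EXPECTED = {
  "app.update.enabled": true,                  // application updates allowed
  "app.update.auto": true,                     // updates applied automatically
  "extensions.update.enabled": true,           // add-on updates allowed
  "extensions.update.autoUpdateDefault": true, // add-on updates applied automatically
  "xpinstall.signatures.required": true,       // add-ons must carry a valid signature
};

// Parse `user_pref("name", value);` / `pref("name", value);` lines into a Map.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything that is not a pref
    let value = m[2];
    try {
      value = JSON.parse(value); // true/false, numbers and quoted strings
    } catch (e) {
      /* keep the raw text for anything JSON cannot parse */
    }
    prefs.set(m[1], value);
  }
  return prefs;
}

// One finding per security-relevant pref whose value differs from EXPECTED.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED)) {
    if (prefs.has(name) && prefs.get(name) !== expected) {
      findings.push({ pref: name, value: prefs.get(name), expected });
    }
  }
  return findings;
}

// Constructed sample of a tampered prefs file (not taken from the real campaign).
const SAMPLE_PREFS = `
// Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("app.update.enabled", false);
user_pref("app.update.auto", true);
user_pref("extensions.update.enabled", false);
user_pref("xpinstall.signatures.required", false);
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPrefs(SAMPLE_PREFS)) {
    console.log(`${f.pref} = ${f.value} (expected ${f.expected})`);
  }
}
```

Run it against the profile's prefs.js or user.js (and any other prefs file the build ships, since a repackaged browser can set these values in more than one place); three findings come back for the constructed sample. A clean result from this script does not prove the browser is untouched, because the renamed updater and altered extensions are separate artifacts, but a hit on xpinstall.signatures.required in particular is a strong signal that add-ons were modified.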

The criminals also made changes that notify a C&C server – which is located on an onion domain, and thus, accessible only through Tor – about the current webpage the victim is visiting, and serve the browser a JavaScript payload. “In theory, the attackers can serve payloads that are tailor-made to particular websites. However, during our research, the JavaScript payload was always the same for all pages we visited,” notes Cherepanov.

The JavaScript payload ESET researchers have seen targets three of the largest Russian-speaking darknet markets. This payload attempts to alter QIWI (a popular Russian money transfer service) or bitcoin wallets located on pages from these markets.

Once a victim visits their profile page to add funds to their account by paying directly in bitcoin, the trojanized Tor Browser automatically swaps the original bitcoin address with an address controlled by the criminals.
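The swap is a rewrite of the page text, which also suggests the check that exposes it. The block below is an added example, not ESET's analysis code and not the campaign's payload: it reduces the behaviour described above to string operations so it runs in plain Node, and pairs it with a detector that compares the addresses the market actually served with the addresses the user ends up seeing. The address pattern covers legacy base58 (1.../3...) and bech32 (bc1...) formats; both addresses and the deposit page are constructed for this example and are not real wallets. QIWI wallets, which the page says the payload also alters, are left out here.

```javascript
// Added example (not ESET's or the attackers' code): the bitcoin address swap the
// press release describes, reduced to string operations, next to the check that
// reveals it. All addresses and HTML below are constructed and are not real wallets.

// Legacy base58 (1.../3...) and bech32 (bc1...) bitcoin address shapes.
const BTC_ADDRESS_RE = /\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})\b/g;

// What the injected payload does: rewrite every bitcoin address in the page so the
// buyer pays the attacker. Nothing else on the page changes, so it looks normal.
function swapBitcoinAddresses(html, attackerAddress) {
  return html.replace(BTC_ADDRESS_RE, attackerAddress);
}

// Addresses present in a page, in document order, without duplicates.
function extractAddresses(html) {
  return [...new Set(html.match(BTC_ADDRESS_RE) || [])];
}

// Defensive check: compare what the server served with what the browser displays.
// Any difference means something rewrote the page between the market and the user
// (here, the trojanized browser's JavaScript payload).
function detectAddressSwap(servedHtml, renderedHtml) {
  const served = extractAddresses(servedHtml);
  const rendered = extractAddresses(renderedHtml);
  const mismatches = [];
  for (let i = 0; i < Math.max(served.length, rendered.length); i++) {
    if (served[i] !== rendered[i]) {
      mismatches.push({ expected: served[i] || null, observed: rendered[i] || null });
    }
  }
  return mismatches;
}

// Constructed sample: a deposit page as the market would serve it.
const VICTIM_ADDRESS = "1VictimShopWa11etAddrNotRea1ABCDE";   // constructed, not real
const ATTACKER_ADDRESS = "1AttackerSwappedAddrNotRea1FGHJK";  // constructed, not real
const SERVED_PAGE = `
<div class="deposit">
  <p>Send BTC to: <code>${VICTIM_ADDRESS}</code></p>
</div>`;

if (typeof require !== "undefined" && require.main === module) {
  const rendered = swapBitcoinAddresses(SERVED_PAGE, ATTACKER_ADDRESS);
  console.log(detectAddressSwap(SERVED_PAGE, rendered));
}
```

In practice the "served" side comes from outside the compromised browser (the market's own record of the deposit address, or a second, clean client fetching the same page over Tor), because anything read back through the trojanized browser has already passed through the payload. A valid-looking address is not evidence of anything: the attacker's address is just as well-formed as the victim's, which is why the comparison has to be against an independent source rather than a format check.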

“During our investigation, we identified three bitcoin wallets that have been used in this campaign since 2017. Each such wallet contains relatively large numbers of small transactions; we consider this a confirmation that these wallets indeed were used by the trojanized Tor Browser,” comments Cherepanov.

At the time ESET researchers concluded their research, the total amount of received funds for all three wallets was 4.8 bitcoin, which corresponds to approximately 40,000 US dollars. “It should be noted that the real amount of stolen money is higher because the trojanized Tor Browser also alters QIWI wallets,” concludes ESET’s Anton Cherepanov.

For more details, read the blog post, “Fleecing the onion: Darknet shoppers swindled out of bitcoins via trojanized Tor Browser.” Make sure to follow ESET research on Twitter for the latest news.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single ‘in-the-wild’ malware without interruption since 2003. For more information, visit our website or follow us on LinkedIn, Facebook and Twitter.